New threats and scams are constantly being created by malicious actors. For example, new threats from malware (e.g., worms, viruses, and spyware) appear with increasing frequency. As a result, organizations must remain vigilant in identifying new threats and scams in order to prevent and deter malicious behavior. Such vigilance is not only prudent for preventing theft or fraud, but can also be legally (e.g., under Sarbanes-Oxley in the United States) or contractually required in various contexts. In addition to new threats, organizations need to monitor for known threats, including variations thereof. As a result, many large organizations employ one or more security analysts or fraud analysts. Smaller organizations often cannot afford such staff, but nonetheless need to prevent and/or detect these threats.
Security or fraud analysts, where employed, often analyze large amounts of data to identify suspicious behavior, or anomalies, within otherwise normal behavior. For example, network security analysts at large organizations are often responsible for reviewing potentially millions of new log entries each day in search of malicious behavior on a computer network. In this scenario, an entry can correspond, for example, to a networked computer accessing the network (e.g., the corporate network or the Internet) or accessing one or more internal servers. Malicious behavior on the network can include the presence of malware or the introduction of unauthorized computers onto the network. If an anomaly corresponds to misuse or fraud, corrective action can be taken manually by the analyst or by other personnel. Such corrective action can include temporarily disabling or isolating the computer, removing malware, and/or notifying law enforcement authorities.
In order to assist analysts with the task of analyzing such large amounts of data, computerized systems have been developed, including intrusion detection systems and fraud detection systems. For example, some systems use rules to determine whether an entry corresponds to normal activity; if it does not, an alert is sent to an analyst for further analysis. However, because every non-normal entry is sent to the analyst, there can still be an unmanageable number of entries to review. In addition, the binary distinction between normal and non-normal entries prevents prioritization based on the potential severity of the misuse or fraud. Furthermore, such systems can be hard to maintain once the number of rules grows large.
Signature-based systems have also been created. These systems match events against signatures of known malicious activity. While signature-based alerts can help identify such malicious behavior, they often miss new or very rare events, because the default assumption for an event that matches no signature is that the behavior is normal. In addition, such systems can be hard to maintain with large numbers of signatures.
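The two deficiencies described in the preceding paragraphs, a rule-based detector that emits a flat list of "non-normal" alerts with no severity, and a signature-based detector that passes any event without a signature as normal, can be made concrete by running both detector styles over a handful of log entries. The following is an added illustration, not code from the original text or from any product it describes; the log entries, asset inventory, rules and signatures are all constructed for the example, and the `EvilDownloader` user agent and the 203.0.113.9 address are placeholders rather than real indicators.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One network log entry (constructed for this example)."""
    src: str          # internal host that generated the entry
    dst: str          # destination host or address
    dst_port: int
    bytes_out: int
    user_agent: str


# Constructed sample entries (not real traffic). Index 2 carries a known-bad user
# agent; index 3 comes from a host that is not in inventory; index 4 is an
# exfiltration-sized transfer. Neither 3 nor 4 has a signature.
ENTRIES = [
    Entry("10.0.1.15", "intranet.example", 443, 2_048, "Mozilla/5.0"),
    Entry("10.0.1.15", "files.example", 445, 120_000, "smbclient/4.17"),
    Entry("10.0.1.22", "203.0.113.9", 80, 512, "EvilDownloader/1.0"),
    Entry("10.0.9.77", "files.example", 445, 4_096, "smbclient/4.17"),
    Entry("10.0.1.15", "198.51.100.4", 443, 850_000_000, "curl/8.0"),
]

KNOWN_HOSTS = {"10.0.1.15", "10.0.1.22"}   # assumed asset inventory
ALLOWED_PORTS = {80, 443, 445}

# Rule-based detector: an entry is "normal" only if every rule holds. Everything
# else becomes an alert, and every alert carries the same label.
RULES = [
    ("source host in inventory", lambda e: e.src in KNOWN_HOSTS),
    ("destination port allowed", lambda e: e.dst_port in ALLOWED_PORTS),
    ("outbound volume below 100 MB", lambda e: e.bytes_out < 100_000_000),
    ("user agent from approved tools",
     lambda e: e.user_agent.split("/")[0] in {"Mozilla", "smbclient", "curl"}),
]


def rule_based_alerts(entries):
    """Return (index, label, failed_rules) for every non-normal entry.

    The label is always the same string: the detector has no notion of severity,
    so a missing inventory record and an exfiltration-sized transfer look alike.
    """
    alerts = []
    for i, e in enumerate(entries):
        failed = [name for name, check in RULES if not check(e)]
        if failed:
            alerts.append((i, "non-normal", failed))
    return alerts


# Signature-based detector: hand-written patterns for known malicious activity.
# Constructed placeholders for this example; these are not real indicators.
SIGNATURES = [
    ("known malware user agent", re.compile(r"^EvilDownloader/")),
    ("known C2 address", re.compile(r"^203\.0\.113\.9$")),
]


def signature_alerts(entries):
    """Return (index, signature_name) for entries that match a signature.

    Anything that matches no signature is silently treated as benign.
    """
    alerts = []
    for i, e in enumerate(entries):
        for name, pattern in SIGNATURES:
            if pattern.search(e.user_agent) or pattern.search(e.dst):
                alerts.append((i, name))
                break
    return alerts


def missed_by_signatures(entries):
    """Indices the rule set flags but no signature covers: the new or rare
    events a signature-only deployment would pass as normal."""
    flagged_by_rules = {i for i, _, _ in rule_based_alerts(entries)}
    flagged_by_sigs = {i for i, _ in signature_alerts(entries)}
    return sorted(flagged_by_rules - flagged_by_sigs)


if __name__ == "__main__":
    for i, label, failed in rule_based_alerts(ENTRIES):
        print(f"rule alert #{i}: {label} ({', '.join(failed)})")
    for i, name in signature_alerts(ENTRIES):
        print(f"sig alert  #{i}: {name}")
    print("flagged by rules, missed by signatures:", missed_by_signatures(ENTRIES))
```

Run as a script, the rule-based detector raises three alerts (entries 2, 3 and 4) that all carry the identical label "non-normal", so nothing in its output tells the analyst that the 850 MB outbound transfer deserves attention before the unrecognized file-share client. The signature detector raises exactly one alert (entry 2) and says nothing about entries 3 and 4, which is the default-normal behavior the paragraph above describes.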
The above-described deficiencies of malicious behavior detection/prevention techniques are merely intended to provide an overview of some of the problems of today's detection techniques, and are not intended to be exhaustive. Other problems with the state of the art can become further apparent upon review of the description of various non-limiting embodiments of the invention that follows.